They were able to reproduce the crash multiple times with the following details:

Crash seems to always happen on the: mutex_unlock(&conn_id->handler_mutex); as conn_id looks to have been freed during this code path.

An examination of the code shows that a race exists in the request handlers. When a new connection request is received, the rdma_cm allocates a new connection identifier. This identifier has a single reference count on it. If a user calls rdma_destroy_id() from another thread after receiving a callback, rdma_destroy_id will proceed to destroy the id and free the associated memory. However, the request handlers may still be in the process of running. When control returns to the request handlers, they can attempt to access the newly created identifiers.

Fix this by holding a reference on the newly created rdma_cm_id until the request handler is through accessing it.
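The lifetime problem and the reference-holding fix, as an added toy model that is not the kernel's rdma_cm code: the struct cm_id, cm_id_get/cm_id_put and request_handler names are hypothetical, and the user's rdma_destroy_id() call is made synchronously from inside the callback rather than from a second thread, which makes the interleaving that the report describes deterministic.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of a connection identifier with a single refcount. */
struct cm_id {
    atomic_int refcount;
    bool destroyed;   /* set when the last reference drops; stands in for kfree() */
};

static void cm_id_get(struct cm_id *id)
{
    atomic_fetch_add(&id->refcount, 1);
}

/* Drop one reference; the object is "freed" once the count reaches zero. */
static bool cm_id_put(struct cm_id *id)
{
    if (atomic_fetch_sub(&id->refcount, 1) == 1) {
        id->destroyed = true;        /* real code would free the memory here */
        return true;
    }
    return false;
}

/* Models a user callback that calls rdma_destroy_id() on the new id at once. */
static int callback_that_destroys(struct cm_id *id)
{
    cm_id_put(id);                   /* user gives up the id's only reference */
    return 0;
}

/* Models a user callback that keeps the id alive. */
static int callback_that_keeps(struct cm_id *id)
{
    (void)id;
    return 0;
}

/*
 * Request handler: allocates the id (one reference), hands it to the user,
 * then touches it again (the mutex_unlock on conn_id in the crash report).
 * With hold_reference set, the handler pins the id across the callback.
 * Returns true if the handler's final access happened after the id was freed.
 */
static bool request_handler(struct cm_id *conn_id, bool hold_reference,
                            int (*cb)(struct cm_id *))
{
    atomic_init(&conn_id->refcount, 1);
    conn_id->destroyed = false;
    if (hold_reference)
        cm_id_get(conn_id);          /* the fix: refcount is now 2 */
    cb(conn_id);                     /* user may destroy the id in here */
    bool use_after_free = conn_id->destroyed;   /* handler still uses conn_id */
    if (hold_reference)
        cm_id_put(conn_id);          /* release the handler's reference last */
    return use_after_free;
}
```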